Executive Summary

CVE-2026-33174 is a denial of service (DoS) vulnerability in the Active Storage component of Ruby on Rails. It occurs when the proxy controller serving files loads the entire requested byte range into memory before sending it. If an attacker sends a request with a very large or unbounded HTTP Range header (for example, bytes=0-), the server may allocate memory proportional to the full file size, potentially exhausting server memory.

The vulnerability arises because there was no limit on the size of byte ranges requested for streaming blobs, allowing attackers to cause excessive memory usage.

The fix introduces a configurable maximum streaming chunk size (defaulting to 100 megabytes) and validates requested byte ranges against this limit. Requests exceeding this limit are rejected with an HTTP 416 Range Not Satisfiable response, preventing memory exhaustion.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause a denial of service (DoS) on your Rails application using Active Storage. By sending requests with very large or unbounded byte ranges, the attacker can force the server to allocate excessive memory proportional to the size of the requested file.

Such memory exhaustion can degrade server performance, cause crashes, or make the application unavailable to legitimate users.

The patch mitigates this risk by limiting the maximum size of byte ranges that can be requested, thus preventing attackers from overwhelming server resources.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring HTTP requests to the Rails Active Storage proxy controller for suspicious or excessively large Range headers, such as requests with unbounded or very large byte ranges (e.g., bytes=0-).'}, {'type': 'paragraph', 'content': 'Specifically, look for HTTP requests with Range headers requesting large or unbounded byte ranges that could cause the server to load large amounts of data into memory.'}, {'type': 'paragraph', 'content': 'You can use network monitoring tools or web server logs to identify such requests.'}, {'type': 'list_item', 'content': "Use command-line tools like `grep` or `awk` on web server logs to find requests with Range headers, for example: `grep -i 'Range:' /path/to/access.log`"}, {'type': 'list_item', 'content': 'Use packet capture tools like `tcpdump` or `Wireshark` to filter HTTP requests containing Range headers.'}, {'type': 'list_item', 'content': 'Use curl to simulate requests with large or unbounded Range headers to test if the server responds with HTTP 416 status code, indicating the patch is active: `curl -I -H "Range: bytes=0-" https://yourserver/path/to/blob`'}] [1, 2, 3, 4]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Rails Active Storage to a patched version that includes the fix for CVE-2026-33174.

• Upgrade to Rails versions 8.1.2.1, 8.0.4.1, or 7.2.3.1 or later, which contain the patch.

The patch introduces a configurable maximum streaming chunk size (defaulting to 100 megabytes) that limits the size of byte ranges served, preventing memory exhaustion.

• Configure or verify the `ActiveStorage.streaming_chunk_max_size` setting to ensure it is set to a safe value (default 100 MB).

If upgrading immediately is not possible, consider implementing network-level protections such as rate limiting or blocking suspicious requests with large Range headers to reduce the risk of exploitation.

Useful 0 Not Useful 0